Back to curl PTS page

Accepted curl 7.52.1-5+deb9u14 (source) into oldstable

To: dispatch@tracker.debian.org, debian-lts-changes@lists.debian.org
Subject: Accepted curl 7.52.1-5+deb9u14 (source) into oldstable
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Mon, 17 May 2021 14:30:11 +0000
Mail-followup-to: debian-lts@lists.debian.org
Message-id: <E1lieG3-0003iR-CD@seger.debian.org>
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 May 2021 18:11:21 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source
Version: 7.52.1-5+deb9u14
Distribution: stretch-security
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Changes:
 curl (7.52.1-5+deb9u14) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * Backport URL API which is a pre-requisite for CVE-2021-22876.
   * Reference new symbols.
   * CVE-2021-22876: curl is vulnerable to an "Exposure of Private Personal
     Information to an Unauthorized Actor" by leaking credentials in the
     HTTP Referer: header. libcurl does not strip off user credentials from
     the URL when automatically populating the Referer: HTTP request header
     field in outgoing HTTP requests, and therefore risks leaking sensitive
     data to the server that is the target of the second HTTP request.
Checksums-Sha1:
 1f7187f76558b43136aabc9a87b063a2127fb27f 2797 curl_7.52.1-5+deb9u14.dsc
 a081bd50e3865c83325c4f578f575c8d7829d205 62860 curl_7.52.1-5+deb9u14.debian.tar.xz
 91dbe25cc2d8bdbcea4bcfcbbf5665734928515a 10776 curl_7.52.1-5+deb9u14_amd64.buildinfo
Checksums-Sha256:
 eeddbe48282f5ce93ad24d3dd5a431ee294617e104d35ea274b38a0f09c2f568 2797 curl_7.52.1-5+deb9u14.dsc
 1294a6c5f5411b05d4972b97b51b3a72cdc06f250f5d0ccdcf418c5cf3fab615 62860 curl_7.52.1-5+deb9u14.debian.tar.xz
 ca81bb8ceca76c27b3301436501f0bcd488b2895c4c2223d968b0d9535565794 10776 curl_7.52.1-5+deb9u14_amd64.buildinfo
Files:
 d50ae090b8c15710c4915263538c4a88 2797 web optional curl_7.52.1-5+deb9u14.dsc
 57b680fe19414e1e33352b9922adbe3a 62860 web optional curl_7.52.1-5+deb9u14.debian.tar.xz
 c6441044a9e3fadc49539ccc46f5c88f 10776 web optional curl_7.52.1-5+deb9u14_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmCieNcACgkQDTl9HeUl
XjCL9Q//cNiei9GFr9JhPtrr5itBlMDUoujlIhefWDY0u2RAlV6qRbLtToUQFpiz
ovJmUplKHpUJsHddqd06yiWy5DCz5QhpiB+AbNnzUQ8Rw+Kw7L3gcQ8DFaMFdjzq
PcGVRdcSG57ehLpsdL1lw2toh+ZuyE/yI1IVygFsMatFhOD3INO/IaQckziNgbn7
ZsbrsNENG6SdQZOM0+QAB/OJRq5TXSUoAXSSw3yr/Ed6mMg2DE9+WQt16RaJuEhc
OlUPv/1TyjwlGGZGEbBKhBuWxYkX/ARFPZUWKwagZbvvjBx3EY/ph+G5MyPrYObY
TGR2MM1N6yDUYfMbyFlXZb5mngW9JUh7ZtBgyuYrqNdS9CKZSVpuHsUbt14hoD1z
afrG5Ch3lvGpIczKmmYmfrWQUMbq2wu41/kKMGi67QSlx64zPR9MXxuO8Ho8TD2P
t/nmY5E5ODfI+H7xuU7aBT1TbG+b7XpqCzLLgI9wuvvBH151YkVz3VgdhbUNIGls
o11UG6zQqCpV6WBvPFudhG5h0fVDmp3fQZt1Nt0ijvgIuqgxMTLaH/NdR+FCNZor
5KyOG/cTTLZj10t6sTczmq5XoJVpNsKmpznAqcivjkcwjnB/Az+h+dgMaNciuxMb
0H8K+M9mqlFyv1DqCe/HXL9U6Fq8pBTN9edtD0P1spoTGYttRW4=
=LKjW
-----END PGP SIGNATURE-----